1994-04-19 - Re: Press Release on Secure NCSA Mosiac

Header Data

From: hfinney@shell.portal.com
To: cypherpunks@toad.com
Message Hash: fad355a712cc53b5ef2365d74d764eb8e6960ff16cc070db55de24c5167153c2
Message ID: <199404191608.JAA03753@jobe.shell.portal.com>
Reply To: N/A
UTC Datetime: 1994-04-19 16:07:15 UTC
Raw Date: Tue, 19 Apr 94 09:07:15 PDT

Raw message

From: hfinney@shell.portal.com
Date: Tue, 19 Apr 94 09:07:15 PDT
To: cypherpunks@toad.com
Subject: Re:  Press Release on Secure NCSA Mosiac
Message-ID: <199404191608.JAA03753@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain


> This secure version of NCSA Mosaic allows users to affix digital signatures 
> which cannot be repudiated and time stamps to contracts so that they become 
> legally binding and auditable.  In addition, sensitive information such as 
> credit card numbers and bid amounts can be securely exchanged under 
> encryption.  Together, these capabilities provide the foundation for a broad 
> range of financial services, including the network equivalents of credit and 
> debit cards, letters of credit and checks.

I doubt that these electronic financial instruments will be designed to
offer new protections to individual privacy.  As more commerce moves onto the
net, opportunities for database linking will multiply drastically.  In such
an environment, electronic dossiers of buying and spending habits will be
far easier to develop.

> To effectively employ public-key cryptography, an infrastructure must be 
> created to certify and standardize the usage of public key certificates. 
> CommerceNet will certify public keys on behalf of member companies, and will 
> also authorize third parties such as banks, public agencies and industry 
> consortia to issue keys.

So once again we have the command-and-control style key certificate
hierarchy.  Everyone is neatly ordered and positioned in the
structure.  A place for everyone and everyone in his place.

> Such keys will often serve as credentials, for 
> example, identifying someone as a customer of a bank, with a guaranteed 
> credit line. 

I suppose it goes without saying that the kinds of privacy-protecting
credentials we have been discussing are not what is being discussed here.
Rather, we have more authentication, more registration, more tracking of
every electronic financial move we make.

> Significantly, all of the transactions involved in doing routine purchases 
> from a catalog can be accomplished without requiring buyers to obtain public 
> keys.  Using only the server's public key, the buyer can authenticate the 
> identity of the seller, and transmit credit card information securely by 
> encrypting it under the seller's public key. Because there are fewer servers 
> than clients, public key administration issues are greatly simplified. 

Evidently the "commerce" that is being planned here does not anticipate much
demand for encryption of messages from sellers to buyers; rather, the
important thing is encryption in the opposite direction to protect those
credit card numbers.  This also, of course, limits RSA's financial commitment
in making its technology available; my reading is that end-users get only the
ability to validate signatures for free, and that getting to use their own keys
will involve royalty payments.

> Secure-HTTP enables incorporation of a variety of cryptographic standards, 
> including, but not limited to, RSA's PKCS-7, and Internet Privacy Enhanced 
> Mail (PEM), and supports maximal interoperation between clients and servers 
> using different cryptographic algorithms.

I was pleased to see that in their later message they added support for
PGP to this list, although it seems that they are still thinking mostly in
terms of "officially sanctioned" systems:

> Cryptosystem and signature system 
> interoperation is particularly useful between U.S. residents and non-U.S. 
> residents, where the non-U.S. residents may have to use weaker 40-bit keys in 
> conjunction with RSA's RC2 and RC4 variable keysize ciphers.

This is outrageous!  Where on earth did they get the idea that non-U.S.
residents have access only to 40 bit keys and RC2/RC4?  As though the only
encryption the rest of the world has is whatever the U.S. government deigns
to let cross its borders?  What an insult to the rest of the world.  And what
an attempt at self-deception to pretend that these export controls are
effective.  I sincerely doubt that the international network community will
accept such a limitation in what claims to be an international standard.

The one good thing that may come from this initiative is that more people
will be using and relying on encryption.  Given the widespread skepticism
about the government in this country, it will be that much harder to get a
Clipper-like program into place.

But the initiative does clearly show the pernicious effects of the combined
restrictions of the RSA patents and the NSA export controls.  Together [RN]SA
provides a structured, ordered system which provides the minimal possible
privacy necessary for electronic commerce.  Far more is possible, but is
unlikely under the current legal regime.

Hal




